Universal computer management interface

ABSTRACT

An integrated computer management apparatus allowing a networked administrator to manage a computer via multiple connection types and protocols. A preferred embodiment of the device has a network connection for the administrative users, coupled via an internal Ethernet switch and a processor to keyboard-video-mouse, serial, and Ethernet computer connections. Depending on hardware characteristics, operational status, OS, and administrator preferences any of these may be used to provide remote computer system management functions. Software running on the processor can provide direct logical connection between the remote administrator and a management port; may serve web pages graphically interpreting data gleaned from one or more of the connections; can provide protocol translation or proxy services; or locally execute an intelligent management agent. The device can be physically small enough to be supported by its connecting cables, and receives power from the attached computer.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of pending U.S. application Ser. No. 11/366,310 filed on Mar. 1, 2006, which is hereby incorporated by reference in its entirety.

FIELD OF INVENTION

The field of invention is remote management of computers via network connection.

BACKGROUND

As the number of computers in corporate networks has grown, along with the number of operating systems and applications running on those computers, the time and effort required to monitor the status of these complex hardware/software systems has increased commensurately. Hardware devices such as disk drives and power supplies are prone to failure, environmental conditions such as overheating can result in erratic operation, and software on many layers has a well-deserved reputation for becoming non-responsive or “hanging.” Monitoring the status of a computer and taking action to recover from an abnormal condition is part of what is known as computer system management, and generally requires either human intervention by an administrator or, more recently, an intelligent software agent making decisions based on the same sort of inputs used by human administrators. If every computer had its own peripherals of monitor, keyboard, and mouse in order for system managers (human or automated) to determine its health and take corrective action when needed, the cost, space, and power requirements for a large number of computers could be enormous. In addition, the manpower requirements for operating such an inefficient architecture would add significant ongoing cost to the organization.

Hence, computer manufacturers early on began to incorporate devices and methods to make management of their equipment easier and more scalable. Software suppliers such as Microsoft also have developed and refined tools for this purpose. Because of the many potential failure modes and individual system administrators' preferences for how to deal with their configurations a plethora of these system management mechanisms exist, but generally they can be classified into two categories: in-band and out-of-band management. In-band management relies upon fully functional hardware, operating system, and network connection; it allows administrators in an enterprise environment to perform day-to-day operation of dozens to thousands of computers from one or more management consoles. Typical tasks performed with in-band management tools include user/account administration and reporting, backup and restore operations, usage measurement and analysis, application software loading and execution, operating system patch installation, etc. While routine health monitoring can be performed with in-band management tools, if one of the tools' underlying software or hardware components fails then that communication path may be rendered nonoperational. A separate, “out-of-band,” connection is required in order to diagnose the problem and attempt to return the system to a fully operational condition. The general area of the present invention is this out-of-band (“OOB”) management, and specifically relates to integrating a number of different out-of-band management techniques into one device.

Out-of-band management interfaces to computers are implemented in a number of different ways. If the computer's CPU and operating system are functional to some degree, one of the serial ports (COM ports) may be used to communicate with management services supported by a subset of the operating system. Microsoft's Emergency Management Services (“EMS”) is an example of this. Rather than using a full graphical user interface (GUI) operating over the network connection, which requires many different system resources to be functioning correctly, EMS uses a simple text command line via serial port to perform low-level diagnostic and corrective operations.

Another management technique which is becoming common is to embed a small service processor on the computer's main board. This service processor is independent of the main CPU and hence can continue to operate even when there is a hardware or software failure that disables the main CPU. The service processor (also known as a Baseboard Management Controller) can have a number of inputs for sensors monitoring conditions such as temperature and fan speed, and can have the ability to restart the main CPU or even cycle power to the computer. In order to ensure full operation of the service processor even when the main CPU and/or its primary network connection are down, the service processor typically has its own physical interface, either a serial port or a network (e.g. Ethernet) connection independent of the main network. The service processor may also share the main network connection in what is known as a “sideband,” if the hardware is designed for it. Communication with an embedded service processor has traditionally involved proprietary, manufacturer-specific protocols such as HP® Integrated Lights Out (iLO) or Sun® Advanced Lights Out Manager (ALOM), but standardization on a protocol known as Intelligent Platform Management Interface (IPMI) is underway.

A third fundamental method of OOB management is known as digital KVM (Keyboard, Video, Mouse). With this, the computer's keyboard, mouse, and video monitor ports are used for communication independent of the main network connection, just as they do when a human being is sitting in front of those peripherals. A (hardware) device can capture the video output intended for a monitor, digitize it, and make it available over a network connection to a remotely located system administrator. The same device can emulate the keyboard and mouse signals (either in native PS/2 format or via Universal Serial Bus (USB)) that the computer expects to see on those inputs, allowing the remote administrator to interact with the computer just as if he had a physically connected keyboard, mouse, and monitor. Such KVM devices are commercially available, either with individual computer connections or combined with an analog KVM switch so that multiple computer KVM interfaces may share one network connection.

To summarize, out-of-band system management may take place via three types of hardware connection: network, serial, or KVM. Differing levels of management software communicate over one of these hardware interfaces either with the main CPU or an independent service processor. FIG. 1 shows the various connections and their relationship to system operational state. In locations with a large number of computers, integrating these disparate interfaces can require a significant management infrastructure of cabling and equipment. Ethernet switches are used to aggregate network connections; each computer using a management LAN connection (almost always Ethernet) will have cables running from centralized data center switches to both the main LAN port (for application communication with the outside world) and to the dedicated management LAN port. If serial OOB management is to be used, terminal concentrators (also known as terminal servers or console servers) combine a number of serial connections and make them available remotely via a network connection. This requires another cable from the terminal concentrator to the computer's COM port or dedicated serial management port. For KVM management, the situation is even more complicated due to the limited distance that the keyboard, mouse, and video signals can travel. A transceiver unit (about the size of a small cell phone) connects via short cables to the computer's keyboard, mouse, and video ports. The transceiver contains circuitry that extends these connections over a distance of cable ranging from 10 m to 100 m, depending on manufacturer, to a KVM switch chassis. This KVM switch aggregates a number of these connections and makes access to them available over a network connection.

Hence, to cover all OOB management interface possibilities, each managed computer requires three separate cables, connecting to four types of equipment: Ethernet switch, terminal concentrator, KVM transceiver dongle, and KVM switch. FIG. 2 illustrates this prior art configuration. Outside of the transceiver, all of these units are chassis which take up rack space and require AC power connections in data centers where both are at a premium. And in large data centers, keeping track of all of the cables can be a significant task in and of itself. On a hardware level, a device that reduces the number of equipment types by aggregating all of the various computer system management connections onto one administrative user connection would have considerable value over prior art in solving these problems. Ideally, the device would be compact in size, not requiring rack space, and low in power consumption.

Once the hardware connections are taken care of, the actual system management operations needing to be performed by administrators can be time-consuming and hence expensive. Typical management functions are described using the acronym MILARRS in U.S. patent application Ser. No. 11/031,643 entitled “MILARRS Systems and Methods,” filed Jan. 7, 2005, the entire disclosure of which is incorporated herein by reference. MILARRS stands for Monitoring the state of the system for an administrator; Inventory the system's sub-systems, components, or assets; Logging data or events generated by the system; Alerting an administrator of system state or taking action based on defined rules; Recovering the system if it fails or shuts down; Reporting device information or diagnostics to an administrator; and Securing the system and its assets from threats and risks. This and all other referenced extrinsic materials are incorporated herein by reference in their entirety. Where a definition or use of a term in an incorporated reference is inconsistent or contrary to the definition of that term provided herein, the definition of that term provided herein applies and the definition of that term in the reference does not apply.

The mix of prior art management equipment described above—network switches, terminal concentrators, KVM switches, etc.—can perform some of these functions, but each does so in a different way. Consider as a typical example a server where day-to-day management activity takes place via a KVM switch, with an administrator running a KVM client application on their management console. If the operating system should appear nonresponsive, the administrator would need to run a “telnet” application to try to communicate with the server via serial port connected to a terminal concentrator chassis. And as a last resort, running an IPMI client application could be needed to remotely reset power to the computer. Keeping track of which computer is being managed by what administrative application using which interface chassis at what network address and port number can be enormously time-consuming and expensive, particularly when configurations are changing rapidly. And this heterogeneous and ever-changing environment makes it difficult to automate the computer system management process by using software agents to reduce personnel costs.

A device which integrates all of the various connections required for computer system management could have a single network address, through which any management operation could be performed—no sorting out an intermediate layer of multiple single-interface chassis, each of which carries its own address. Through that single address, a common application interface could be presented to the remotely connected human or mechanized system administrators. With an embedded processing element, the device could also locally automate various management functions, reducing the workload on those administration resources.

SUMMARY OF THE INVENTION

The present invention provides methods and apparatus for interfacing a computer's keyboard/video/mouse, serial, and/or network management LAN ports to one or more administration network ports. In a preferred class of implementations, referenced herein from time to time as a Universal Computer Management Interface device, an internal processor running appropriate software allows a user (human or automated) connected over the network to access any or all of the computer management connections using standard tools such as a web browser. The processor can also execute scripts or otherwise make decisions based upon the data coming from those connections. Unlike prior art devices such as KVM extenders or terminal concentrators that can also perform some of these functions, the present invention incorporates an internal Ethernet packet forwarding functionality, and the new device has low enough power requirements to be powered from the attached computer rather than an external AC-DC converter.

In one aspect of preferred embodiments, the device has two external Ethernet ports, with one available for the administrative network connection and one available for connection to a computer's dedicated LAN management port. Internally, both ports are connected with each other and the CPU using a hardware switch, allowing wire speed data transfer among all three. Prior art devices such as the commercially available SLK1 from Lantronix of Irvine, Calif., Dominion KX101 from Raritan Corp. of Somerset, N.J., or Switchview IP from Avocent Corp. of Huntsville, Ala. lack the second Ethernet port and hence cannot aggregate a LAN management port with the other OOB management interfaces.

If a particular computer does not have a LAN management port, an alternative use for the second Ethernet port is to provide for daisy-chaining the devices. Daisy-chaining refers to connection from device to device to device, with only the end of the chain being connected to the outside network, as opposed to the more typical star cabling configuration where each device individually physically connects to the outside network. FIGS. 6 a and 6 b show the difference in cabling topologies. U.S. patent application Ser. No. 11/273,791 entitled “Daisy Chaining Device Servers via Ethernet,” filed Nov. 14, 2005, discloses a similar daisy-chaining applied to serial-to-Ethernet device servers, the entire disclosure of which is incorporated herein by reference. Daisy-chaining may be advantageous in minimizing cabling outside of a cabinet where a number of the Universal Computer Management Interface devices are located, as well as reducing the number of outside network switch connections required. Note that while the physical configuration of devices daisy-chained together may appear as a serial string of units, it is in the nature of Ethernet that logically to the outside network there is no difference between that and a star, or point-to-point, wiring configuration. If the devices are connected in a daisy-chain fashion, one embodiment could include an algorithm such as Spanning Tree to be incorporated in the switch function so that the daisy-chain could be connected in a loop or with two outside network connections for failure resiliency. In other embodiments, the internal Ethernet packet forwarding functionality could also be implemented as a hub function or a router function.

As used herein, the term “Ethernet packet forwarding functionality” means any functionality, which could be implemented in hardware, software, or combination of the two, which forwards Ethernet packets between or among a plurality of ports, regardless of whether the functionality is operating at a link layer (layer 2) or network layer (layer 3), or otherwise.

Additional contemplated embodiments include three or more external Ethernet ports so that both a management port and daisy-chain connection are concurrently available, or for redundant individual connections to the outside network. None of these capabilities are available with prior art KVM devices.

In another aspect of a preferred embodiment, the computer keyboard-video-mouse interface comprises a USB connection, plus an analog VGA video input. USB keyboard and mouse support has been present in computers for several years, and provides more efficient cabling than the older PS/2 interface. Another contemplated embodiment could utilize PS/2 connections for keyboard and mouse, for those older computers lacking USB ports. If the KVM interface is to be used for monitoring only and not for input to the computer, the “KM” connections could be dispensed with entirely. Analog VGA video is digitized by an Analog-to-Digital (A/D) converter IC internal to the Universal Computer Management Interface device before being digitally processed for transmission over the network. In another embodiment, the video connection could be Digital Visual Interface (DVI) or High-Definition Multimedia Interface (HDMI), eliminating the need for an A/D converter.

In another aspect of a preferred embodiment, a serial RS-232 port is provided for connection to a computer COM port. Other contemplated embodiments of the current invention could include additional serial ports, for communication with peripherals such as remote-controlled power strips. Additional electrical standards for serial communications such as RS-422 or RS-485 could also be implemented.

In still another aspect of a preferred embodiment, the device draws 5VDC power from the connected computer via the keyboard/mouse USB port; a second USB connection is provided in case a particular computer is incapable of supplying sufficient power over a single USB line. Other contemplated embodiments could use power from PS/2 keyboard/mouse connections, the video port, the serial port, the Ethernet port, or a DC power connector, either alone or in combination with one another.

As convenience is a key attribute of the device, size matters. Prior art devices for OOB management typically have either rackmount or tabletop metal chassis of 500 cm³ or more and weighing upwards of 1 kg. Preferred embodiments would have a housing of less than 200 cm³; and most preferred would be less than 100 cm³ so that it could hang from an attached computer on its own cabling. The initial embodiment has a housing with a volume less than 75 cm³ and weighs less than 500 g. Other contemplated embodiments could include mounting multiple units in a chassis or integrating hardware for attachment to rack rails.

The Universal Computer Management Interface device can advantageously incorporate an embedded processor running software that allows client users connecting over the network to exchange data with the attached computer via one or more of the management connections described above. Such software preferably implements standard networking protocols and applications including but not limited to IP, TCP, UDP, HTTP, SSL, SSH, and telnet as appropriate to the type of user-to-system connection desired. For example, a user may want to use a text command-line communication via the serial port; the device supports this via telnet or SSH servers, which in turn use TCP and IP protocols. In addition to facilitating direct data exchange between an administrator and the computer management ports, the internal processor can perform protocol conversions or execute proxy applications. For instance, an administrator desiring to utilize the KVM interface could communicate with the device over the network connection by using a web browser; the device has an internal web server that uses HTTP to present web pages derived from the digitized video input. In another example, the non-human-readable IPMI standard protocol, Microsoft Emergency Management Services Protocol, or a manufacturer-specific proprietary protocol communicated with the computer via the serial port could be translated into a graphical web page to be presented to the administrator network connection.

The existence of a processing element also allows the Universal Computer Management Interface to intelligently perform rule-based MILARRS functions. As one simple example, the device could be instructed to use its mouse emulation to move the cursor on a periodic basis, and examine the video to verify that the cursor has indeed moved. If it has not, the presumption would be that the attached system had hung, so the device could send out an SNMP alert to the administration network and then reset the computer using IPMI over its serial port.
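The cursor-move rule described above can be sketched as follows. This is an added example, not code from the patent or from any product: the class and callback names are hypothetical, the SNMP alert and the IPMI reset are abstracted as callbacks, the host is a constructed simulation, and the requirement of several consecutive failed probes before resetting goes beyond the text, as an assumption to avoid power-cycling a host on one noisy frame.

```python
from dataclasses import dataclass
from typing import Callable, Sequence

Frame = Sequence[Sequence[int]]  # grayscale rows; stand-in for the digitized video


def changed_pixels(before: Frame, after: Frame, noise: int = 16) -> int:
    """Count pixels that differ by more than `noise` between two frames.

    The noise floor absorbs jitter from digitizing analog VGA. A change of
    resolution means the host redrew its display, so it counts as activity.
    """
    if [len(r) for r in before] != [len(r) for r in after]:
        return sum(len(r) for r in after) or 1
    return sum(
        1
        for row_a, row_b in zip(before, after)
        for a, b in zip(row_a, row_b)
        if abs(a - b) > noise
    )


@dataclass
class HangWatchdog:
    """Hypothetical rule engine: nudge the mouse, check that the video changed."""
    capture_frame: Callable[[], Frame]       # KVM video capture
    move_mouse: Callable[[int, int], None]   # emulated USB/PS2 mouse, relative move
    send_alert: Callable[[str], None]        # e.g. an SNMP trap sender (not implemented here)
    reset_host: Callable[[], None]           # e.g. IPMI reset over serial (not implemented here)
    min_changed: int = 4                     # pixels that must change to count as movement
    misses_before_reset: int = 3             # assumption: debounce, not stated in the text
    misses: int = 0

    def probe(self) -> str:
        before = self.capture_frame()
        self.move_mouse(8, 8)
        after = self.capture_frame()
        self.move_mouse(-8, -8)  # put the pointer back so probes do not drift it
        if changed_pixels(before, after) >= self.min_changed:
            self.misses = 0
            return "ok"
        self.misses += 1
        if self.misses < self.misses_before_reset:
            return "suspect"
        # Alert first so the administrator has a record even if the reset fails.
        self.send_alert(f"host unresponsive: {self.misses} cursor probes showed no video change")
        self.reset_host()
        self.misses = 0
        return "reset"


class SimulatedHost:
    """Constructed stand-in for the attached computer's video and mouse ports."""

    def __init__(self, width: int = 32, height: int = 16) -> None:
        self.w, self.h = width, height
        self.x, self.y = 4, 4
        self.hung = False
        self.resets = 0

    def frame(self) -> Frame:
        rows = [[0] * self.w for _ in range(self.h)]
        for dy in range(3):  # draw a 3x3 white pointer
            for dx in range(3):
                rows[min(self.y + dy, self.h - 1)][min(self.x + dx, self.w - 1)] = 255
        return rows

    def move(self, dx: int, dy: int) -> None:
        if not self.hung:  # a hung OS stops redrawing the pointer
            self.x = max(0, min(self.w - 1, self.x + dx))
            self.y = max(0, min(self.h - 1, self.y + dy))

    def reset(self) -> None:
        self.resets += 1
        self.hung = False


def run_demo():
    """One healthy probe, then a hang that triggers alert and reset, then recovery."""
    host, alerts = SimulatedHost(), []
    wd = HangWatchdog(host.frame, host.move, alerts.append, host.reset)
    outcomes = [wd.probe()]
    host.hung = True
    outcomes += [wd.probe() for _ in range(3)]
    outcomes.append(wd.probe())
    return outcomes, alerts, host.resets


if __name__ == "__main__":
    print(run_demo())
```

Because the reset path is destructive and driven by inferred state, the thresholds and the alert-before-reset ordering are the parts worth reviewing when adapting a rule like this.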

The foregoing are, of course, examples rather than limitations of the ways in which the programming of a Universal Computer Management Interface can allow a human or automated administrator remotely connected over the network to interact with the various computer management ports, or how it can reduce the burden on the remote administrator by intelligently acting on its own. Various objects, features, aspects and advantages of the present invention will become more apparent from the following detailed description of preferred embodiments of the invention, along with the accompanying drawings in which like numerals represent like components.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic of various prior art management tools and their interfaces.

FIG. 2 is a schematic of prior art system management equipment and connections.

FIG. 3 is a schematic of connections between a preferred Universal Computer Management Interface and a typical computer, with a remote administrator connected.

FIG. 4 shows perspective and side views of the device of FIG. 3.

FIG. 5 is a perspective view of a multi-unit chassis embodiment of a Universal Computer Management Interface.

FIG. 6 a is a schematic of a prior art star cabling topology.

FIG. 6 b is a schematic of a daisy-chained topology.

FIGS. 7 a and 7 b are schematics of a preferred Universal Computer Management Interface used in association with: (a) a dedicated management LAN port; and (b) a shared main LAN port, respectively.

FIG. 8 is a schematic of a simple block diagram of a preferred class of Universal Computer Management Interfaces, indicating inputs and outputs.

FIG. 9 is a more detailed block diagram of a preferred Universal Computer Management Interface, indicating internal elements of the device.

FIG. 10 is a schematic showing a power circuit portion of a preferred Universal Computer Management Interface showing multiple contemplated power sources.

DETAILED DESCRIPTION

FIG. 1 provides an overview of the types of computer system management techniques and interfaces used when the computer is in various states of stability 10 ranging from operating system and hardware fully functional; through partial failure of the OS while hardware remains good; down to complete failure of either the OS or computer hardware. When the system (OS plus hardware) is operating normally, Graphical User Interface tools 11 provide the most powerful and easy-to-use functions. As all system facilities are available, administrators can utilize their choice of management hardware interfaces. Most common is the normal user KVM interface 14 consisting of video 15 output with keyboard 16 and mouse 17 inputs. For security purposes, many higher-end servers support a dedicated management LAN port 18 separate from the main (user data) LAN connection. However, this increases the installation complexity and hence many smaller facilities simply manage their computers via the main LAN connection 19, sharing management and user data on the same connection.

In the not-infrequent situation where some but not all of the operating system's components are dysfunctional, the complex GUI toolkit may be unavailable. For that situation, Microsoft provides what they call Emergency Management System tools 12. This toolkit requires minimum resources and can function in many situations where the GUI cannot. It provides much more limited text-based command line capability, principally designed to diagnose the fault and get the computer back up and running. One of the ways in which it minimizes the need for system resources is by utilizing a simple serial connection 20 on one of the COM ports. If user data also uses this COM port, there is a mechanism for it to be shared, with EMS taking it over under certain circumstances. Note that Unix and Linux administrators typically prefer text-based command line utilities for their day-to-day work, so the serial connection 20 is used even when the system state is fully stable.

If the computer CPU itself has failed, or the OS is totally down, even the limited communication offered via the serial port is not available. In order to manage computers even under these conditions, independent service processor hardware running its own software toolkit 13 is provided in most higher-end servers. Depending upon manufacturer, a number of connectivity options are available for communication with the service processor. There may be a dedicated serial port 21, independent of the computer COM ports. Or the dedicated management LAN connection 18 can be used. And, with the latest hardware and software, a mechanism has been defined whereby the main LAN port 19 can have management data intended for the service processor interspersed with the user data, with the computer's internal Ethernet hardware capable of directing that data to the service processor even if the main CPU is disabled.

FIG. 2 shows a typical prior art solution to connecting these various interfaces. In order for system administrators to have access to a large number of computers, it is desirable to make any of the hardware interfaces described above available over a network. For security, the administrative management network 50 is generally separate from the primary user data network, although this need not always be the case. Equipment is needed to translate management data communicated via various hardware interfaces into network-based data packets. Usually, the connectors are mounted on the computer's back panel 30. In the simplest case, a dedicated management LAN port 36 is connected by an Ethernet cable 18 directly to an Ethernet switch 43, which is part of the Ethernet-connected 40 administrative network 50. A shared or dedicated serial port 35 has an RS-232 electrical connection which requires hardware translation and protocol conversion. A serial cable 20 connects the COM port to a piece of equipment known as a terminal concentrator or console server 42. This device provides serial connection to a number of computers, and converts the serial data stream from each into a form suitable for networking. The terminal concentrator has one or more Ethernet connections 40 to the administrative network 50.

The KVM interface is a bit more complex. The computer has a monitor port 31 for outputting video 15; the video is a low voltage level analog signal and operates at a very high speed hence is limited in the distance that can be supported. Older computers provide for what is well-known as the PS/2 interface for keyboard 33 and mouse 34 connections. The PS/2 interface is a low-level clocked serial protocol, not compatible with the COM serial port, and also quite limited in distance. Newer computers almost universally have one or more USB ports 32 which can support keyboards and mice via that connection. Prior art KVM products frequently consist of two pieces of equipment, a transceiver 37 that is capable of extending the distance from the keyboard, video, and mouse ports far enough to reach a KVM switch 41. Video 15 from the monitor port is amplified and turned into a differential signal in the transceiver, which combines it with USB data 22 or PS/2 keyboard 16 and mouse 17 data into a custom format running on KVM cable 38. The KVM switch 41 electrically interfaces to a number of these KVM cables, digitizes, formats, and packetizes the video and makes it available via one or more Ethernet connections 40 to the admin network 50. It receives and interprets packets from the network, and uses that information to emulate keyboard and mouse signals that it sends to the transceiver 37 for presentation to the respective ports. It thus “fools” the computer into thinking that a physical keyboard and mouse are directly connected, while in fact the administrator ultimately providing the keystrokes may be anywhere in the world with a network connection.

Thus, the typical prior art solution requires three specialized pieces of equipment to handle all OOB management interfaces: KVM switch 41, KVM transceiver 37, and terminal concentrator 42. Additionally, three ports will be used on the Ethernet switch, hub, or router supporting the administrative network (for KVM switch, terminal concentrator, and direct management LAN connections.)

FIG. 3 shows the improvement brought on by the present invention. As before, the computer back panel 30 with management LAN 36, serial COM 35, USB 32, and monitor video 31 ports is shown (keyboard and mouse support via USB is assumed, so PS/2 connections are not shown for simplification.) The present invention, Universal Computer Management Interface 60, has short cables for physically connecting to monitor, USB, and COM ports. It also has two RJ-45 Ethernet jacks, one of which connects via Ethernet cabling 40 to the administrative network 50, and one of which can be used to connect to the management LAN port 36. Instructions 91 provided to the user/administrator would explain the various ways in which the device can be connected. A system administrator 90 can be located anywhere in the world, connected by local or wide area network 52 in order to access any of the computer's management connections via the one device. It therefore replaces the three pieces of specialized equipment required by the prior art solution, and reduces the required number of administrative network switch ports from three to one.

FIG. 4 shows perspective and cutaway side views of the preferred embodiment. The active elements are enclosed within a housing 200 (about 65 cm³, roughly the size of a candy bar), to which is attached a strain-relieved cable bundle 220. The cables, approximately 30 cm long, are terminated in USB connectors 203 and 204, a DB-9 serial connector 205, and an HD-15 video connector 206 for connection to the appropriate jacks. Two RJ-45 jacks are provided, 201 and 202, for Ethernet LAN connections. In a preferred embodiment, the RJ-45 jacks include indicator LEDs 210 showing network status. In the side view, the housing 200 is cut away to show the two circuit boards, a CPU board 100 and a peripheral interface board 101 to which the cable bundle 220 and Ethernet jacks 201 are internally attached. The whole device is light enough that the cable assembly can easily support its weight, but there is also provision for securing it inside a rack using cable ties. Other contemplated embodiments may have embedded connectors rather than an attached cable assembly, or have a cable assembly in lieu of the RJ-45 jacks. As server densities increase in the future, there is also a contemplated embodiment where the boards either with or without a housing are installed in clusters in a chassis. FIG. 5 shows such a multi-unit product 230, where a rack-mount chassis 231 contains multiple instances of the electronics 232.

Careful observation of FIG. 4 will reveal two of the inventive elements distinguishing the Universal Computer Management Interface device from prior art devices such as single-channel KVM extenders. First, the present invention draws power from the attached computer over one or both of the USB connections 203 and 204, eliminating the need for a bulky external power supply. Virtually all computers manufactured in this millennium have one or more USB connections, and the USB specification requires that each be capable of supplying a minimum of 500 mA at 5VDC. As the components used in the initial implementation require slightly more power than this, a second USB connection is provided so as to acquire additional power. Future implementations utilizing less power will eventually eliminate the need for this second connection. While the preferred embodiment utilizes only power obtained via USB connections, other sources of power may be contemplated. The video port on modern computers is capable of supplying 5VDC@300 mA, and certain serial ports carry power as well. For legacy computers lacking a USB connection, power could be drawn from the PS/2 keyboard and mouse interfaces. Or an auxiliary power supply may be provided, either Power Over Ethernet or an AC-DC converter plugged in to a DC power connector, so that if the computer's main power is lost and hence the USB unable to supply power, the unit will still be able to operate.

Second, there are two RJ-45 Ethernet jacks, which are coupled to one another and the device's processor via an internal Ethernet switch IC. Prior art devices have only had one external Ethernet port, which is used to connect the unit to the network. By providing a second Ethernet port, the present invention has several significant advantages as the connection can be used in a number of ways. FIG. 6 a and FIG. 6 b illustrate one of these advantages. In FIG. 6 a, a prior art KVM extender device 64 has one Ethernet port which must connect 40 to the administration network 50 in order to access and use the device. Hence, each unit has its own connection, resulting in n devices requiring n cables and n switch ports on the admin network. In FIG. 6 b, the present invention, the first Ethernet port 40 in the first device 60 goes to the admin network 50. The second Ethernet port can connect 65 to the first Ethernet port in the next device and so on through n devices, in what is called a “daisy-chain.” Since the larger site configurations entail putting many servers in one rack, all of the Universal Computer Management Interface units attached to those servers within a rack could be daisy-chained together with short cables, reducing the number of network cabling connections outside the rack (and network switch ports) to one. For redundancy, a second network connection 66 could be made to the last device in the chain so that failure of any one device or daisy-chain connection would not affect the entire string. In operation, the internal switch can implement a standard and well-documented function known as Spanning Tree Protocol to allow redundant connections, which normally are prohibited on an Ethernet network.

FIG. 7 a and FIG. 7 b show alternative uses for the second Ethernet port. In FIG. 7 a, the invention can connect 18 to a computer's 30 dedicated Ethernet management network connection 36. In FIG. 7 b, a low-end computer such as a PC may not have a dedicated management LAN port, and security of management data is not a concern. In that situation, the Universal Computer Management Interface 60 can provide the convenience of combining its data with that from a short connection 52 to the main (user data) LAN port 37, allowing a single connection 40 to the user network 51, rather than the device and computer each having its own connection to the user network.

In all of the figures showing an Ethernet connection to a network, the administrative network 50 or user network 51 is shown as a cloud, a convention familiar to those versed in the technology. The cloud as a visual device is used to indicate that while the internal structure of the network may be complex and vary significantly from one application to another, it is not relevant to the understanding of what is otherwise being illustrated. In this case, the network cloud could be a local area network limited to one site, or a wide area network reachable from anywhere in the world, or even a single administrative computer (such as a notebook PC) directly connected, and the phrase “admin network” or “user network” should not be taken as limited to one or more specific network configurations. Similarly, a “remote” user or administrator refers only to the connection via network rather than physically attached peripherals, and whether managed computer and administrator are directly adjacent or across the continent is irrelevant.

While the initial embodiment only has two external Ethernet ports, requiring a choice between one of the uses outlined above, also contemplated are embodiments that incorporate three or more Ethernet ports. Such a version could not only implement all of those configurations concurrently, but also perform any packet processing and forwarding operation that a commercial Ethernet switch can perform. While the preferred embodiment uses a hardware Ethernet switch IC, other packet forwarding functionalities such as hubs and routers can be envisioned, as well as the potential to integrate the packet forwarding functionality into the processor's hardware or software.

FIG. 8 shows a simplified block diagram of the present invention 60. Various types of mixed-signal (analog and/or digital) integrated circuits comprise the electrical interface section 63. Among the myriad possible connections are video connection 15, USB connection 22, and serial COM 20 ports, and Ethernet connection 18 and 40. Among other things, the interface section 63 converts signal levels to those suitable for digital processing. A processor section 61 performs driver functions related to that received and transmitted data, such as compression of the video, keyboard and mouse emulation, and protocol conversion of the serial data. It also executes software that includes an operating system with network protocol stack, web server, serial (telnet) server, and other applications that provide network connectivity and user interface. It also may serve up Java applets or ActiveX controls, software which is downloaded to and executes on a remote client PC. An Ethernet switch section 62 connects the processor with two externally accessible Ethernet ports.

FIG. 9 shows a more detailed look at the preferred embodiment. In the initial embodiment, there are two printed circuit boards. The CPU board 100 contains the main processing System On Chip (SoC) 102 and memory. A peripheral interface board 101 gathers together the switch function 114 with the other hardware-specific electrical interface components. It is envisioned that various versions of the device could be produced for different computer hardware configurations by keeping the CPU board standard and just developing different peripheral interface boards and associated driver firmware, or all elements could be mounted on one circuit board.

The primary processing element in the initial implementation is a SoC named the KIRA 100, commercially available from Peppercon AG of Zwickau, Germany. A similar device (N2533A) is available from Avago Technologies (formerly Agilent) of San Jose, Calif.; at the time of initial design the KIRA part was selected as it was more cost-effective and had better peripheral interface functionality but either device would have worked. The KIRA is based around an ARM CPU 103 linked to a peripheral controller section 104 via internal AMBA (Advanced Microcontroller Bus Architecture) APB and AHB buses (Advanced Peripheral/High-speed Bus.) The peripheral controller section has two USB controllers, two serial UARTs, and Ethernet MAC, among other functions. A third section of the SoC provides video processing 105 which encompasses a number of highly compute-intensive low-level functions that can be offloaded from the ARM CPU for improved performance. These functions include comparing video frames bit-by-bit to determine changes; compressing that change information into a particular coding format; and packetizing that information in such a way that a remote client will ultimately be able to decompress and reconstruct the video frames.

The ARM CPU in a preferred embodiment runs at 190 MHz, and includes 16 Kbyte instruction and data caches along with an SDRAM controller. The external SDRAM 107 allocated to the CPU core comprises one 8 Mb×32, Ins device, Micron 48LC8M32B2 or equivalent, for a total of 32 Mbytes. The CPU also accesses one 4 Mb×16 flash memory 108, AM29LV640 or equivalent, a total of 8 Mbytes. This is expandable to 16 Mbytes by using a larger capacity device.

The video processing logic accesses its own SDRAM 106, 2 Mb×32 Ins Micron 48LC2M32B2 or equivalent for a total of 8 Mbytes. This memory is used by the video processor to store video frames and as general purpose scratchpad memory without having to contend with the ARM CPU for memory access.

The KIRA comes in a 484 pin FBGA package, 23×23 mm in outline. Peripheral I/Os utilize 3.3V while the core operates at 1.8V. Outside of the KIRA core, all other integrated circuits on both interface and CPU boards operate at 3.3V. Power from the USB 22 is specified at 5V DC, with a maximum of 500 mA available. This is split off from the USB data and carried 120 to a dual-output DC-DC switching regulator 111. This is implemented with a Linear Technology LTC3417, a device which operates typically with 90% conversion efficiency. Taking into account the amount wasted in the conversion, a preferred embodiment requires approximately 3 watts of power from the attached computer. This is more than the 2.5 watts nominally available from a single USB connection, although many computers can provide more than the specified minimum. In order to get sufficient power under all circumstances, a second USB connection is provided 125 which thus doubles the available power to 5.0 watts. The two USB power inputs are combined together with MOSFETs, which also reduces conversion efficiency, but a minimum of 3.5 watts is available under worst case conditions. It is envisioned that as ICs consuming less power become available, the second USB connection can be eliminated in future embodiments. The outputs of the switching regulator are 1.8V 131 for the KIRA core supply, and 3.3V 130 for all other power requirements.

In a preferred embodiment, the video coming from the computer is analog VGA 15. This must be digitized in order for further processing to take place. This digitization takes place in video analog-to-digital (A/D) converter 109, an Analog Devices AD9888. This is available in speed grades up to 205 Msps, allowing digitization of 1600 pixel×1200 pixel video at 8 bits deep; for cost reasons the present invention uses lower speed grades capable of digitizing 1280×1024 or 1024×768 video. The output of the AD9888 to the video processor is 48 bits wide digital video 121, 16 bits each for Red, Green, and Blue running at half the raw video pixel rate. Control of the AD9888 comes from the KIRA via I2C bus 122; this includes initial setup and detailed sampling parameters based on scan rate recognition. Future embodiments could have a digital video input such as DVI or HDMI, which would eliminate the need for the A/D converter.

The KIRA's peripheral controllers include a complete USB host controller with transceiver level shifters, so that it may be connected directly to the USB cabling 22 to provide keyboard and mouse emulation. Firmware running on the CPU provides the needed intelligence to put together appropriate USB data streams designed to spoof the attached computer into thinking a USB keyboard and mouse are physically connected. While the combination of video input and keyboard and mouse emulations is generally known as a “KVM interface,” there are environments where only monitoring of the video may be required, so the keyboard and mouse is optional. In those cases, the only function of the USB cabling would be to access power. In other contemplated embodiments, the USB keyboard and mouse connection could instead be implemented as native PS/2 keyboard and mouse interfaces. This would preferably be implemented with a small microcontroller (such as an Atmel Atmega) running firmware to do the low-level PS/2 emulation, rather than burden the main CPU with “bit-banging” the clock and data lines comprising PS/2 interfaces. As mentioned, the second USB cable 125 has no data connections, and serves only as a supplementary source of power; this could also be required in the contemplated PS/2 embodiment.

A key inventive element of the Universal Computer Management Interface is the inclusion of an Ethernet packet forwarding functionality 114 which in this case is a hardware switch IC. The peripheral controller section of the KIRA includes a 10/100 Ethernet Media Access Controller coupled internally to the ARM CPU via the AHB bus and presenting a Media Independent Interface (MII) 124 outside the chip. In prior art devices using similar processors to perform some of the same functions as the present invention, the MII would be connected to an Ethernet PHY (physical layer) IC to provide the signal conditioning required to attach to the commonly used twisted-pair Ethernet network. In the present invention, instead of using a PHY which would just provide a single Ethernet port, an Ethernet switch 114 is used. The current embodiment uses a Micrel KS8993M, a full-featured 3 port managed switch. It has an MII on one port, which connects to the KIRA MII, and also incorporates two 10/100 PHYs. Computer Ethernet ports 1 and 2 40 connect to these two switch ports through transformer coupling well known to those versed in the art, and thereby can communicate either with one another or with the CPU. Setup and control of the switch can be set statically upon startup, or take place dynamically via an I2C bus 126 from the KIRA CPU.

The particular switch used has an extensive feature set including support for VLANs and management, along with provisions for implementing Spanning Tree Protocol. This flexibility allows for the various applications described above in FIGS. 6 a, 6 b, 7 a, and 7 b, such as daisy-chaining of devices, to be implemented with minimum burden on the CPU.

In other preferred embodiments, the switch function may be incorporated into future versions of the CPU eliminating the separate switch IC, or may include more than two external Ethernet ports. While a “switch” is referred to here, other elaborations of packet handling functions such as hubs or routers could be implemented in different embodiments.

Also contemplated is the use of wireless Ethernet or other current or future wireless standards for one or more of the network connections. For prior art KVM switches and similar products, wireless would have little or no benefit as there still would be the need for power cabling and connections between transceivers and switches. However, as the present invention draws its power from the attached computer and is small enough to hang behind it, wireless connectivity would bring real advantages. A hardwired Ethernet port to the computer being managed would still be present; but using a wireless administration network could eliminate the cabling between each computer and the aggregation switch for the network, along with all the associated switch ports. The entire management network physical infrastructure in large server farms could be eliminated, or (more accurately) reduced to a few wireless access points. Security, of course, would be an issue in such an installation. In addition to any network layer security functions implemented on the wireless network, the firmware in the present invention supports application layer data encryption, hence making a wireless network infrastructure a valid alternative to consider.

The RS-232 serial connection 20 to the computer's COM port or dedicated serial management port requires signal conditioning provided by an RS-232 transceiver 113. This is implemented in a preferred embodiment with a MAX3243E, which has internal charge pumps allowing it to operate on the 3.3V supply voltage and also is static-discharge protected to 15 kV. The transceiver provides logic-level serial port 123 to the UART embedded in the KIRA. Data rates up to 230 kbps are available on the RS-232 port. Another transceiver is optionally populated to provide a second serial port for control of peripherals such as a battery backup unit or power strip.

FIG. 10 summarizes the various options different embodiments could have for securing power, through design of the appropriate power conditioning circuitry 140. The initial implementation uses first 22 and second 125 USB connections, each of which can provide 500 mA@5VDC. An alternative could be to use computer PS/2 mouse 17 and keyboard 16 connections; each of those can supply 250 mA@5VDC. The VESA standard VGA video port 15 is specified to provide at least 300 mA@5VDC. Power Over Ethernet is a defined standard capable of supplying approximately 13W; either or both of the device Ethernet connections 40 could be used. The serial port 20 has signals that can be called on to supply small amounts of power, possibly for a very low power future embodiment, or the port could use one or more pins to directly carry DC current in a proprietary implementation. And simplest of all, a connector could be provided for direct DC connection 141 from an external supply such as a wall-plug AC/DC converter. By using the appropriate conditioning circuitry, more than one of these inputs could be combined for additional power or for redundancy, with the ultimate result being 3.3V 130 and 1.8V 131 in the initial implementation, or whatever other voltages would be required for alternative embodiments.

While the basic KVM human interface is pretty well standardized (“look at video; make mouse movements or keystrokes in response to what you see”), a variety of different management protocols can be communicated over the serial or LAN connection depending on hardware manufacturer and operating system in place. Typical of these are the Microsoft Emergency Management Services, Intelligent Platform Management Interface (IPMI), various Linux command line console utilities, and manufacturer-specific proprietary protocols. Software running on the device's CPU provides different user interfaces from the administrative network to these protocols. Telnet or SSH provide tunneling for serial text over the network to a remote administrator. The administrator could then run a terminal emulation application (such as Hyperterminal) to communicate with the remote computer just as if the administrative computer's COM port was physically connected to the remote computer's serial port. Another piece of software running locally on the CPU can interpret IPMI data, which is formatted in a non-readable protocol, and turn it into a web page which can then be made available over the network by the device's web server software. For example, IPMI data from a sensor measuring the temperature inside of the computer can be interpreted into a picture of a dynamically changing thermometer. A remote administrator can view this page using a standard web browser, and take action. The action may be to click on a radio button on the web page labeled “power off.” This button press is communicated back over the network to the device, which it then translates to the appropriate IPMI code for “turn power off” and transmits out over the serial port.

As the present invention contains a 190 MHz CPU, another contemplated element is the addition of local intelligence which can make decisions based on the data seen on the various connections to the computer. In the above example, an agent running in the device could be charged with scanning the incoming IPMI data from the serial port to monitor the computer's internal temperature. It could be preprogrammed with a rule stating that “if temperature exceeds 40 C then turn the computer off.” If the set level was exceeded, the agent could send the appropriate IPMI “off” code to the serial port. It could then send an email to a preprogrammed address to notify a human administrator (or another software agent) of the event.
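
The temperature rule described above, as an added sketch that is not part of the patent or of any vendor firmware: it validates an IPMI Get Sensor Reading response before trusting it, requires several consecutive over-limit readings before acting, and builds the Chassis Control power-down request in serial Basic Mode framing. The agent address 0x81, the 1:1 raw-to-Celsius factors, the three-reading debounce and the sample responses are assumptions constructed for illustration.

```python
"""Added illustration of the "power off above 40 C" rule; not the patent's firmware."""

BMC_ADDR = 0x20      # conventional BMC responder address
AGENT_ADDR = 0x81    # requester software ID for this agent (assumption)
NETFN_CHASSIS, CMD_CHASSIS_CONTROL, POWER_DOWN = 0x00, 0x02, 0x00
NETFN_SENSOR, CMD_GET_SENSOR_READING = 0x04, 0x2D
START, STOP, ESC = 0xA0, 0xA5, 0xAA   # IPMI serial Basic Mode framing characters
ESCAPES = {0xA0: 0xB0, 0xA5: 0xB5, 0xA6: 0xB6, 0xAA: 0xBA, 0x1B: 0x3B}


def checksum(data):
    """IPMI 2's-complement checksum: covered bytes plus checksum sum to 0 mod 256."""
    return (-sum(data)) & 0xFF


def build_request(netfn, cmd, payload=b"", seq=0):
    """Assemble rsAddr, netFn/LUN, chk1, rqAddr, rqSeq/LUN, cmd, data, chk2."""
    head = bytes([BMC_ADDR, netfn << 2])
    body = bytes([AGENT_ADDR, (seq & 0x3F) << 2, cmd]) + bytes(payload)
    return head + bytes([checksum(head)]) + body + bytes([checksum(body)])


def frame_for_serial(msg):
    """Wrap a message in start/stop characters, escaping reserved byte values."""
    out = bytearray([START])
    for b in msg:
        out += bytes([ESC, ESCAPES[b]]) if b in ESCAPES else bytes([b])
    out.append(STOP)
    return bytes(out)


def parse_sensor_reading(msg):
    """Return the raw reading byte, or None when the response cannot be trusted."""
    if len(msg) < 10:
        return None
    if checksum(msg[:2]) != msg[2] or checksum(msg[3:-1]) != msg[-1]:
        return None                       # corrupted on the wire
    if (msg[1] >> 2) != (NETFN_SENSOR | 1) or msg[5] != CMD_GET_SENSOR_READING:
        return None                       # not the response being waited for
    completion, reading, status = msg[6], msg[7], msg[8]
    if completion != 0x00:
        return None                       # BMC reported an error
    if status & 0x20 or not status & 0x40:
        return None                       # reading unavailable or scanning disabled
    return reading


def to_celsius(raw, m=1, b=0, b_exp=0, r_exp=0):
    """Linear IPMI conversion; real factors come from the sensor's SDR (assumed 1:1)."""
    return (m * raw + b * 10 ** b_exp) * 10 ** r_exp


class OverTempRule:
    """Fire once after `needed` consecutive valid readings above `limit_c`."""

    def __init__(self, limit_c=40, needed=3):
        self.limit_c, self.needed = limit_c, needed
        self.streak, self.tripped = 0, False

    def feed(self, msg):
        """Return the framed power-down request to write to the port, or None."""
        raw = parse_sensor_reading(msg)
        if raw is None or self.tripped:
            return None                   # bad frames never move the rule toward acting
        self.streak = self.streak + 1 if to_celsius(raw) > self.limit_c else 0
        if self.streak < self.needed:
            return None
        self.tripped = True               # latch so the command is sent only once
        request = build_request(NETFN_CHASSIS, CMD_CHASSIS_CONTROL, bytes([POWER_DOWN]))
        return frame_for_serial(request)


def sample_response(reading, status=0xC0):
    """Constructed test input: a Get Sensor Reading response addressed to the agent."""
    head = bytes([AGENT_ADDR, (NETFN_SENSOR | 1) << 2])
    body = bytes([BMC_ADDR, 0x00, CMD_GET_SENSOR_READING, 0x00, reading, status, 0xC0])
    return head + bytes([checksum(head)]) + body + bytes([checksum(body)])


if __name__ == "__main__":
    rule = OverTempRule()
    for temp in (38, 45, 46, 47):
        action = rule.feed(sample_response(temp))
        print(temp, action.hex() if action else "no action")
```

Because a single corrupted or spoofed frame on the serial line would otherwise be enough to power the computer off, the checksum, availability and debounce checks run before the rule is evaluated.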

Having hardware connections to all three management interfaces—serial, LAN, and KVM—with the data converging at the present invention enables the local CPU or other contemplated processing element to be programmed to implement many data processing functions not available on prior art devices. Singly or in conjunction with one another, the data streams may be filtered, translated, compressed, or otherwise altered. Security functions such as encryption or authentication could be performed on raw or processed data passing between the various logical and physical connections. And as the device contains nonvolatile memory, internal storage of data is also possible. On a higher level, software applications running on the CPU with access to all of this data can locally perform other management functions such as monitoring, asset inventorying, event logging, administrator alerting, automated recovery, information reporting, and system securing (MILARRS.) On a yet higher level, more sophisticated applications simulating the presence of human administrators could run on the local CPU, taking action based on analyzing the data available to it and utilizing a set of programmed rules or policies. The simple IPMI temperature scenario laid out above shows how translated data is monitored and, based on a rule, results in actions including automated recovery and administrator alerting. This list of data processing and information management operations contains only a few of the functions made possible by the convergence of all management information through one locally attached intelligent device, and should be read as examples and not limitations.

Thus, specific embodiments and applications of a universal computer management interface apparatus and methods have been disclosed. It should be apparent, however, to those skilled in the art that many more modifications besides those already described are possible without departing from the inventive concepts herein. The inventive subject matter, therefore, is not to be restricted except in the spirit of the appended claims. Moreover, in interpreting both the specification and the claims, all terms should be interpreted in the broadest possible manner consistent with the context. In particular, the terms “comprises” and “comprising” should be interpreted as referring to elements, components, or steps in a non-exclusive manner, indicating that the referenced elements, components, or steps may be present, or utilized, or combined with other elements, components, or steps that are not expressly referenced.

1. A device for managing a computer, comprising: an article of manufacture including a processing element, first and second Ethernet ports, a video port, a serial port, and an Ethernet packet forwarding functionality that is operatively coupled with the first and second Ethernet ports; and wherein the processing element is programmed to facilitate a user communicatively connected to the device over the first Ethernet port to communicate information with the computer via at least one of the second Ethernet port, the video port, and the serial port.
2. The device of claim 1 further comprising at least one of a keyboard interface and a mouse interface, which communicates with the processing element.
3. The device of claim 2 further comprising circuitry that is capable of receiving DC power from the computer over at least one of the keyboard and mouse interfaces.
4. The device of claim 2 wherein at least one of the keyboard and mouse interfaces is made via a first Universal Serial Bus (USB) connection.
5. The device of claim 1 further comprising first and second USB connections that can provide power to the device.
6. The device of claim 1 further comprising a PS/2 interface that can provide power to the device.
7. The device of claim 1 further comprising a PS/2 interface and a USB interface, each of which can provide power to the device.
8. The device of claim 1 wherein at least one of the Ethernet ports can provide power to the device.
9. The device of claim 1 wherein the video port can provide power to the device.
10. The device of claim 1 wherein the serial port can provide power to the device.
11. The device of claim 1 further comprising a DC power connector other than the Ethernet ports, the video port, and the serial port.
12. The device of claim 1 wherein the video port includes circuitry that processes analog signals.
13. The device of claim 1 wherein the video port includes circuitry that processes digital signals.
14. The device of claim 1 further including a wireless network connection operatively coupled to the Ethernet packet forwarding functionality.
15. The device of claim 1 wherein the processing element operates software that communicates with the computer using at least one of an IPMI standard protocol, a text command line protocol, a Microsoft Emergency Management Services (EMS) protocol, and a manufacturer-specific protocol.
16. The device of claim 1 further comprising a second serial port, wherein the processing element is further programmed to facilitate the user to communicate the information with the computer via the second serial port.
17. The device of claim 1 wherein the Ethernet packet forwarding functionality is implemented in an integrated circuit.
18. The device of claim 1 wherein the Ethernet packet forwarding functionality includes at least one of a switch function, a hub function and a router function.
19. The device of claim 1 further comprising a housing having a volume of less than 100 cm³, which houses the article of manufacture.
20. The device of claim 1 further comprising multiple ones of the articles of manufacture.
21. A method comprising: providing a device that includes first and second Ethernet ports, a video port, and a serial port; and remotely managing a computer by remotely connecting the user through the first Ethernet port, and communicating with the computer via at least one of the second Ethernet port, the video port, and the serial port.
22. The method of claim 21 further comprising including in the device an Ethernet packet forwarding functionality that is operatively coupled with the first and second Ethernet ports.
23. The method of claim 21 further comprising connecting the device to the computer through the second Ethernet port.
24. The method of claim 21 further comprising connecting the device to the computer through the video port.
25. The method of claim 21 further comprising connecting the device to the computer through the serial port.
26. The method of claim 21 further comprising providing instructions to the user for connecting the device to the computer.
27. The method of claim 21 further comprising including in the device a processing element that is programmed to execute a function selected from the list consisting of: translating, reformatting, filtering, altering, encrypting, compressing, authenticating, signing, and storing data communicated between the device and the computer.
28. The method of claim 21 further comprising including in the device a processing element that is programmed to execute a management function not native to the computer, selected from the list consisting of: monitoring computer system state, inventorying system assets, subsystems or components, logging data, alerting an administrator of system state, recovering the computer from an abnormal condition, reporting system information, and securing the computer.
29. The method of claim 28 further comprising the processing element performing at least one of the management functions locally to the device according to a set of stored rules or policies.